An increasing number of hardware and software vendors have formal bug bounty programs. Google, for example, runs its own vulnerability rewards program, and Microsoft has multiple bug bounties covering Office 365, Azure, .NET and Edge as general programs covering exploits and defenses.

And the U.S. Department of Defense (DoD) set up its first bug bounty after several years of watching the software industry, says Katie Moussouris, now CEO of Luta Security. She previously created similar programs for Microsoft and Symantec, worked with the FDA to create market guidance around vulnerability disclosure for medical devices and helped the DoD prepare for their bug bounty while working at HackerOne. “The DoD was curious about those programs were effective, whether the folks participating in it were acting in good faith,” she tells CIO. “They wanted to take what was working in the private sector and fast track that into the DoD.”

“Bug bounties are really just a subset of vulnerability disclosure with a particular incentive. They can be a useful tool. Just like any other incentive program, you're trying to incent certain types of behavior, certain types of bugs,” Moussouris says.